Post on 08-Nov-2021
Risk, Reputation and Accountability
A G O V E R N A N C E P E R S P E C T I V E
O F D I S R U P T I V E E V E N T S
4 Risk, Reputation and Accountability
Table of Contents
1 The Escalation of Reputation Risk 2
2 What’s the Damage and Can We Avoid It? 4
Reputation Crises 4
Cyber Attacks 6
Natural Disasters 9
3 Governance Matters 14
About the Author
2 Risk, Reputation and Accountability
The Escalation of Reputation Risk
This is a study of disruptive events. Decisions we make around these
sudden, disorderly and often dramatic events have a direct impact on our
companies’ fortunes.
Lying at the heart of this dynamic is the risk to corporate reputation, an asset built up usually
over many years of wise decision-making and valued by investors. But the virtuous cycle between
reputation and value is both fickle and fragile. Barely a week passes without headlines of some
beleaguered chief executive battling their way through a reputation crisis, a cyber attack or a
natural disaster. When the virtuous cycle is broken, it carries enduring consequences for the
company’s future (and usually for the chief executive too).
1
3Pentland Analytics
The impact of disruptive events on financial performance is changing. The research summarised in
this report provides new evidence that:
1. The impact of reputation crises on shareholder value has increased.
2. The range of perils for which executives are held accountable has broadened.
3. The demands on corporate governance and leadership have intensified.
Share prices (transparent and changing daily) facilitate detailed analysis, and the research focuses
on shareholder value as the core metric of performance. A shareholder value analysis offers an
evidence-based, forward-looking assessment of companies’ ability to manage threats to financial
performance and offers the keys to successful recovery. The principles uncovered apply equally
to firms of a different ownership structure, be they privately-held, family-owned, under mutual
ownership or even state-owned.
The study examines the impact on shareholder value of reputation crises, cyber attacks and
natural disasters in the context of the last 20 years. The evidence reveals increasingly demanding
stakeholders, where executive management now is held accountable for damage from perils
previously considered to be bad luck. The perception of adverse outcomes has changed from bad
luck to bad management. The signals are apparent
already that such a trend is here to stay, and will extend
to emerging risks from climate change and technologies
yet to be invented.
Thankfully, we can learn from the evidence to identify
a clear path that will help companies thrive in adversity,
and practical guidance and solutions exist to help
build enterprise resilience. I hope that you will find
this latest research of interest as you strengthen your
organisation’s resilience against disruptive events.
I am very grateful to FM Global for access to their engineering data, subject to strict confidentiality,
and for their support of this work. FM Global is a leading commercial property insurer whose
engineers inspect over 100,000 locations annually, yielding a vast, unique and proprietary data set.
Dr Deborah PrettyFounderPentland Analytics
The perception of
adverse outcomes
has changed from
bad luck to bad
management.
4 Risk, Reputation and Accountability
What’s the Damage and Can We Avoid It?
The bad news is that the damage from a disruptive event to long-term
performance can be substantial. The good news is that we can avoid it by
making the right decisions, pre- and post-loss, and by applying solutions
that exist already.
And the best news of all is that if we manage these risks particularly well, we may surprise investors
on the upside, and actually emerge with an enhanced reputation and higher valuation.
R E P U T A T I O N C R I S E S
The average impact on shareholder value from a reputation crisis is -5% across the post-event year.
This is a modelled share price reaction: over and above the relevant market index, risk-adjusted
for beta (the price sensitivity of the stock to the market), plus a few other adjustments such as
for dividends and stock splits. Included in the portfolio of reputation crises are mass fatality
events, major property losses, communications blunders, cyber attacks, product or service failures,
accounting irregularities and tales of executive malfeasance. The result is a clean measurement of
firm-specific impact, distinct from market-wide influences.
The average hit to share prices of 5% across a portfolio of reputation crises has remained consistent
throughout the last 20 years of conducting this study. In 2000, there were 25 crises in the study
database. Now, in 2020, there are over 150 events and the database is updated continually. The
average picture, however, masks significant differences between firms in their ability to recover
from crisis.
Shown in Figure 1, are two discrete groups, somewhat frankly called Winners and Losers, according
to their ability to recover value following a reputation crisis. Aligned on Event Day zero, are the
dates on which news of each crisis broke into the public domain; thereby diversifying across
different market cycles. On the x-axis, are shown 252 trading days: one calendar year with Saturdays
and Sundays stripped out. On the y-axis, is the modelled share price impact, where the horizontal
line at zero indicates stock market expectations in the absence of a crisis.
2
5Pentland Analytics
FIGURE 1 The value impact
VA
LUE
IMPA
CT
(%)
-30
-20
-10
0
10
20
30
EVENT TRADING DAYS
0 20 40 60 80 100 120 140 160 180 200 220 240
WINNERS (2020) LOSERS (2020)WINNERS (2000) LOSERS (2000)
First, it is clear that the market makes its judgement rapidly as to expectations of future
performance. Within the first few trading days, it becomes apparent whether the affected firm
is emerging as a Winner or a Loser. Share prices move in response to new information. When
crisis strikes, investors learn more about a company and, in particular, about the capabilities of
its management team, than investors would learn ordinarily. This additional information forms
the basis of a new market view of future performance. The market may be impressed and revise
upwards its consensus estimate of future cash flow performance. Or investors’ confidence in the
management team may be eroded, and market expectations are revised downwards. Either way, the
revised view tends to be sustained over at least the post-event year.
Second, the value at risk from a reputation crisis is
considerable. Winners in the 2000 study outperformed
market expectations by 10% while the Losers
underperformed by 15%. By 2020, these impacts on
value have doubled, with the Winners outperforming by
almost 20% and the Losers underperforming by 30%.
In the intervening two decades, the speed of information flow around the world has accelerated
tremendously. Wireless and wearable technology, the introduction of camera phones, the
burgeoning of social media, and the growth in intangible asset values all have conspired to
exacerbate corporate reputation risk. Cultural and generational expectations have shifted, with
the attendant aggravation of demands on business leaders whose every decision carries with it a
value consequence.
The value at risk
from a reputation
crisis is considerable.
6 Risk, Reputation and Accountability
Third, the opportunity to outperform is real. It is possible to emerge from a crisis with an enhanced
reputation, depending on how well-prepared is the company and how well does it manage the
aftermath. Figure 2 summarises the key drivers of value recovery, consistent through the 20 years
of study.
The most important of these is risk preparedness. It is trivially true that companies that are more
prepared and commit to loss prevention are less likely to incur loss. It is also the case that well-
prepared companies are able to withstand the disruption better and recover strongly. All this
requires leadership, both prior to any event in shaping the corporate culture and providing the
necessary investment, and in the aftermath when navigating the storm. Effective communication,
backed up by credible action, is critical. Finally, and arguably the most challenging, is a commitment
to change. Executive management needs to convince a sceptical marketplace that the company
now is fundamentally different; that lessons have been learned and that the renewed confidence of
investors is deserved. This requires awareness, humility and a demonstrable willingness to change.
C Y B E R A T T A C K S
Much has been written in the media to suggest that a
data breach or cyber attack has no long-term impact
on share price. The evidence suggests a more complex
picture. In the 2000 study portfolio, there were no
examples of cyber attack but, in the 2020 study
portfolio, there are currently 30 examples of major
cyber attack. When the impact on shareholder value is
measured, the results for this subset follow those of the
broader reputation crisis portfolio. Winners and Losers
emerge with similar value impacts, and attributes akin to
those summarised in Figure 2.
However, when the subset of 30 major cyber attacks over the last ten years is partitioned into those
that occurred in the first five years and those from the most recent five years, it appears that a
change has taken place. The more recent subset underperforms the earlier subset by almost 15%
(Figure 3).
Well-prepared
companies are
able to withstand
the disruption
better and
recover strongly.
7Pentland Analytics
FIGURE 2 Hallmarks of Winners and Losers
T H E W I N N E R S
P R E P A R E D N E S S
L E A D E R S H I P
C O M M U N I C A T I O N
A C T I O N
C H A N G E
Deep commitment to loss prevention and mitigation
Strong visible leadership from CEO
Accurate and well-coordinated communication
Instant, global response and action
True remorse: commitment to meaningful change
T H E L O S E R S
Failure to prioritise risk preparedness
Weak or delegated leadership, failure to take responsibility
Opaque, partial or inconsistent communication
Delayed, absent or limited action
Minimal, inauthentic, relucant contrition (if at all)
8 Risk, Reputation and Accountability
In the early days of cyber attack, the market viewed the event more as an act of terrorism: external
and unfortunate. Companies that suffered a data breach emerged relatively unscathed in share
price terms. That view of corporate culpability has changed. Where, initially, cyber attacks were
viewed as bad luck, they are now viewed as bad management, and companies are held responsible
for their decisions concerning data protection and the mitigation of harm.
The introduction by the European Union of General Data Protection Regulation (GDPR),
implemented in May 2018, encourages this view by placing the onus of responsibility firmly on
corporate management. Failure to comply with GDPR can result in fines of up to 4% of annual
global turnover or EUR20 million, whichever
is greater. The size of the fine is a direct
function of the commitment made to invest in
effective cybersecurity measures to prepare
for such an event, and of the decisions made
in the immediate aftermath to identify,
report and respond rapidly to any breach. The
recommendations mirror well the hallmarks
of Winners.
The California Consumer Privacy Act (CCPA),
effective January 2020, is less stringent than GDPR. Penalties for non-compliance with CCPA are
more benign also; but both regulations increase significantly the financial penalties for inadequate
management of cyber risk, more particularly for decisions taken that failed to prioritise risk
preparedness. Any signal that erodes investor confidence in the wisdom of managerial decision-
making is going to lower valuations.
FIGURE 3 Changing impact from cyber attack
VA
LUE
IMPA
CT
(%)
-15
-10
-5
0
5
10
15
EVENT TRADING DAYS
0 20 40 60 80 100 120 140 160 180 200 220 240
CYBER ATTACKS (2010-2014)CYBER ATTACKS (2015-2019)
Companies are held
responsible for their
decisions concerning
data protection and the
mitigation of harm.
9Pentland Analytics
N A T U R A L D I S A S T E R S
Twenty years ago, or even 10 years ago, the weight of value impact from natural disasters tended
to fall on banks and (re)insurers, rather than on non-financial corporations. The insurance industry
is in the business of bearing losses from such events, while banks may suffer a deterioration in their
loan portfolios and consequent weakening in their lending capacity. With the change in market
perception from bad luck to bad management already established in the realm of cyber risk, it is
logical to revisit natural disasters.
Taking the 2017 U.S. hurricane season as an example,
Figure 4 illustrates the average value impact on
those non-financial, U.S.-listed companies (with
annual revenue exceeding USD5 billion) that
disclosed in their 2017 10-K statements financial
damage from Hurricanes Harvey, Irma or Maria. The
share price reaction is modelled across one year from
the date Hurricane Harvey formed in the Atlantic. It
will be remembered that Hurricanes Irma and Maria
arrived close behind, all three hurricanes forming
within a period of five weeks. Across the post-event year, the 52 companies identified suffered an
average 5% drop in modelled shareholder value, equivalent to a total USD18 billion.
This average value impact of -5% is equal to the average impact across the portfolio of reputation
crises. At least from this case, it appears that investors may have started to assess differently the
ramifications of natural disaster for non-financial companies.
FIGURE 4 New impacts from natural disaster
VA
LUE
IMPA
CT
(%)
-10
-5
0
5
10
17-Aug-17 17-Oct-17 15-Dec-17 16-Feb-18 19-Apr-18 19-Jun-18 17-Aug-18
Companies reporting financial damage from Harvey, Irma or Maria
Investors have
started to assess
differently the
ramifications of
natural disaster.
10 Risk, Reputation and Accountability
In order to investigate further, Pentland Analytics analysed engineering data from FM Global, a
leading commercial property insurer that specialises in property protection and risk management.
A portfolio was constructed of clients with more than 10% of their global insured property values
in an affected area. Affected areas were defined as counties directly impacted by the peril flood
during Hurricane Harvey, and by the peril wind during Hurricanes Irma or Maria. The affected
areas are identified using satellite and aerial imagery, and are confirmed by the AIR Catastrophe
Modelling System.
The percentage of applicable engineering recommendations that were completed across each
client’s property portfolio in the affected area was calculated. The applicable engineering
recommendations focused on improvements to flood protection for properties in the affected area
for Hurricane Harvey, and on wind protection for properties in affected areas for Irma and Maria.
Figure 5 shows that, across clients that reported financial damage to the Securities and Exchange
Commission (SEC) in their 2017 10-K, fewer than half of the applicable recommendations had been
completed. Moreover, this group included no company that had completed all its recommendations.
In contrast, across the client portfolio with no material financial damage to report, almost two-
thirds of the engineering recommendations had been completed, and over a third of this group had
completed all their recommendations, as they pertain to wind and flood protection.
FIGURE 5 Property protection works
ClientsReportingDamage
ClientsNotReportingDamage
0% 20% 40% 60% 80% 100%
Completed RecommendationsActive Recommendations
41% of Recs completed 59% outstanding
63% of Recs completed 37% outstanding
11Pentland Analytics
These results suggest first, that the engineers’
advice is well-targeted and, second, that it pays to
complete their recommendations, at least
with respect to the exposures of wind and flood.
Such analysis relates only to the direct financial
damage, however, and does not offer insight
to the long-term impact on performance. To
evaluate the consensus market estimate of future,
long-term performance, we return to shareholder
value analysis.
Depicted in Figure 6 is the modelled share price
performance, risk-adjusted and in excess of the
market index, of the two client groups over the post-event year. Those clients who completed all the
applicable recommendations at their properties in the affected areas outperformed by 10% those
clients with wind and flood recommendations outstanding. The companies with well-protected
facilities are not hindered by disruption, and the market revises upwards its estimates of future
cash flow. In light of this new information, confidence in the decision-making and capability of these
firms’ executive management teams is revived.
This is a powerful result that demonstrates the value advantage of investing in loss prevention
and risk preparedness. In respect of flood protection, the investment case is straightforward:
the solutions are highly cost-effective and simple to install. When it comes to protection against
windstorm, however, assigning the capital investment required can be a challenge.
FIGURE 6 Prevention measures add value
VA
LUE
IMPA
CT
(%)
-5
0
5
10
15
17-Aug-17 17-Oct-17 15-Dec-17 16-Feb-18 19-Apr-18 19-Jun-18 17-Aug-18
Completed RecommendationsActive Recommendations
Those clients who completed the recommendations outperformed by 10% those with recommendations outstanding.
12 Risk, Reputation and Accountability
FIGURE 7 It pays to be well-protected
In sympathy with chief financial officers everywhere who face stretched budgets, further analysis
was conducted to determine whether the same value advantage is achieved by completing “most”
of the recommendations, such as over 80% of them, or less than 80%. Figure 7 shows that the
bulk of outperformance is achieved by those clients who consider resilience as binary: either their
properties are well-protected or they are not.
VA
LUE
IMPA
CT
(%)
-5
0
5
10
15
17-Aug-17 17-Oct-17 15-Dec-17 16-Feb-18 19-Apr-18 19-Jun-18 17-Aug-18
Completed Recs Active Recs> 80% Completed Recs < 80% Completed Recs
Why this result should be so stark puzzled this writing economist, until shared with an engineer who
pointed out bluntly,
“Look - if you have four holes in your boat, and you plug three of them, you’re still gonna sink”!
Quite.
Figure 8 translates into dollar terms the average value impact per client for each portfolio:
companies with well-protected facilities as regards wind and flood exposure, and those with
recommendations outstanding.
Those companies with property portfolios resilient to flooding and windstorm were able to add an
average USD1.9 billion to their valuations over the year following Hurricanes Harvey, Irma and Maria,
while those not fully protected lost an average USD1.4 billion from their valuations. The spread
between those well-protected and those without comprehensive wind and flood protection is
USD3.3 billion on average in value terms.
13Pentland Analytics
FIGURE 8 The cost of disruption
Figure 8 translates into dollar terms the average value impact per client for each portfolio: companies with well-protected facilities as regards wind and flood exposure, and those with recommendations outstanding. Figure 8: The Cost of Disruption
Those companies with property portfolios resilient to flooding and windstorm were able to add an average USD1.9 billion to their valuations over the year following Hurricanes Harvey, Irma and Maria, while those not fully protected lost an average USD1.4 billion. The spread between those well-protected and those without comprehensive wind and flood protection is USD3.3 billion on average in value terms. This is not the cost of property lost or damaged. It is not even the loss in profits. Much of these direct costs may be covered by insurance. The value at risk is the cost of opportunities foregone. It is the cost of distracted management and missed targets, of market share permanently lost to the competition, of growth opportunities neglected and the legacy of dereliction in the strategic plan. The research provides new evidence that investors have started to embrace natural disasters in their realm of risk assessment. More pertinently, a firm’s value trajectory has started to reflect market opinion of executive decisions made to contain the threat of damage from natural hazards. The damage incurred from these natural perils that was considered previously to be bad luck is considered now to be poor management. It is logical to expect growing scrutiny on firms’ climate resilience. Decisions made to protect properties exposed to coastal flooding and the increased risk of wildfire, for example, would be central to such a risk assessment. Equally, given the direction of regulatory travel witnessed with respect to cyber risk, it would be logical for regulators to consider extending corporate accountability also to the management of exposure to natural hazards and climate change.
This is not the cost of property lost or damaged. It is not even the loss in profits. Much of these
direct costs may be covered by insurance. The value at risk is the cost of opportunities foregone. It
is the cost of distracted management and missed targets, of market share permanently lost to the
competition, of growth opportunities neglected and the legacy of dereliction in the strategic plan.
The research provides new evidence that investors have
started to embrace natural disasters in their scope of risk
assessment. More pertinently, a firm’s value trajectory
has started to reflect market opinion of executive
decisions made to contain the threat of damage from
natural hazards. The damage incurred from these natural
perils that was considered previously to be bad luck is
considered now to be poor management.
It is logical to expect growing scrutiny on firms’ climate
resilience. Decisions made to protect properties exposed
to coastal flooding and the increased risk of wildfire, for
example, would be central to such a risk assessment.
Equally, given the direction of regulatory travel witnessed with respect to cyber risk, it would be
logical for regulators to consider extending corporate accountability also to the management of
exposure to natural hazards and climate change.
This is not the cost of property lost or damaged. The value at risk is the cost of opportunities foregone.
14 Risk, Reputation and Accountability
Governance Matters
Leadership. Reputation risk. Regulatory compliance. Long-term value.
Strategic oversight. Independent judgement. Accountability. The common
thread is corporate governance.
The last 20 years have seen the doubling in value impact from a reputation crisis, the arrival of
cyber risk for which accountability now rests firmly with the organisation whose boundaries were
breached, and the extension to natural hazards of the stock market’s assessment of pre-loss and
post-loss managerial decisions with respect to asset protection.
Climate change is in the crosshairs and the inexorable rise of technology continues to generate new
risks. Public equity capital is increasingly competitive and mobile. If firms do not seek to generate
and protect returns from that capital, it will go elsewhere. The demands on executive management
possibly never have been greater.
As managerial agents, we manage business operations on behalf of our company owners, be they
private company owners, mutual owners, shareholders or the state. Our common objective is to
protect and build long-term value for our owners. Effective governance holds us to account for our
decisions and actions, as they impact value creation and destruction. We are held accountable now
for events, perils and behaviours where previously we were not. Cultural, technological, climatic and
now regulatory changes demand a greater level of accountability from us all.
Given the substantial value at risk from a reputation crisis, a cyber attack or a natural disaster, it is
incumbent upon us to do everything that we can ahead of time to protect our owners’ assets, and
to act swiftly in the immediate aftermath to minimise damage. If solutions exist to prevent loss or
mitigate damage, and we do not employ them, the inescapable verdict is that our (in)actions are
incompatible with the objective to protect long-term owner value.
Commitment to risk preparedness and crisis management is a governance imperative.
3
About the Author
D R D E B O R A H P R E T T Y
Deborah has been at the forefront of risk analytics for over 25 years and is
the Founder of Pentland Analytics.
Her research has been published extensively in
academic and professional journals, and she has been
honoured as guest speaker at numerous conferences
around the world. Deborah authored the book, Risk
Financing Strategies – the impact on shareholder value
(1999), was a key contributor to the Financial Times
Mastering Risk series and served for many years on the
editorial advisory board of Corporate Finance Review.
For her work in insurance economics, Deborah
was appointed Research Fellow at the University
of Oxford. Previous corporate roles include as co-
founder and Principal of Oxford Metrica, Assistant
Director at Sedgwick Energy, and risk analyst at
Tillinghast. Deborah holds a BA (Hons) degree in
industrial economics with mathematics from the
University of Nottingham, and a DPhil from the
University of Oxford.
17Pentland Analytics
About Pentland AnalyticsPentland Analytics provides advanced analytics and advisory
services to the executive management of the world’s leading
companies. The firm converts complex business issues into
innovative analytics solutions that yield new insights and
direction. The results inform strategic decisions and help to
build clients’ resilience, reputation and long-term owner value.
pentlandanalytics.com
© 2020 Pentland Analytics LimitedAll rights reserved